Overview

overview

10

Static

static

SecuriteIn...81.rtf

windows7-x64

10

SecuriteIn...81.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    152s
  • max time network
    167s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    06-12-2022 13:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Exploit.CVE-2018-0798.4.7145.26581.rtf

  • Size

    7KB

  • MD5

    48761a16dd96c10f032b32475c748e37

  • SHA1

    7dc04a878bb273a6406b68cdafeb71b62dccf1ad

  • SHA256

    d213681bdb5ce1ca9f353ca5c8b6d45fca9de882b79f6e6708898096817427dd

  • SHA512

    513e265766b595f9dce532209c60913e89dfe813eb4c1e0fec724c9549fe03cedb7de1aa4ec2f8505f7d9b4202ddd4fd11a2bf9d6464b0ca924a862ab02f0c0c

  • SSDEEP

    192:iz9E7DX8Lu5f0FwU4b06jHmi02d2dZrSrlSO5IUfMAogjJHm:4UwKLHYGHX02sZrSr7FMAo8lm

Score
10/10
formbookwh23ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

wh23

Decoy

ow9vyvfee.com

alvis.one

mutantgobz.claims

plynofon.com

southofkingst.store

nuvidamedspa.com

coffeeforyou56.com

opaletechevents.com

momobar.life

abcmousu.com

learnicd-11.com

tipokin.xyz

kahvezevki.com

suratdimond.com

oldartists.best

infoepic.info

mattresslabo.com

skarlmotors.com

cl9319x.xyz

med49app.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 6 IoCs
    installer
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.CVE-2018-0798.4.7145.26581.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1248
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:776
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe"
          3⤵
            PID:1884
      • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
        "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
        1⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Launches Equation Editor
        • Suspicious use of WriteProcessMemory
        PID:1868
        • C:\Users\Admin\AppData\Roaming\name.exe
          "C:\Users\Admin\AppData\Roaming\name.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1788
          • C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
            "C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe" C:\Users\Admin\AppData\Local\Temp\ijarchpuy.du
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:680
            • C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
              "C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              PID:788

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Exploitation for Client Execution

      1
      T1203

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\ijarchpuy.du
        Filesize

        5KB

        MD5

        5cd14824d28319bfcac1b2e3cd8b532d

        SHA1

        49ed57453b9612e0ece3540b9740f613298a8644

        SHA256

        ae65f540f6bef4b0723294768991c65f88095de096c9f636ba4c2de7f095c7bf

        SHA512

        84bdd85fe9e34fcde4ab3abd57d670a7cd2694b160686aac8958c0a00aef066dffaeaa778f8c617431c2af5b4678d292f482a5de81ae33cbfbadce1e930f061b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
        Filesize

        12KB

        MD5

        a8c4431de2a0d976a45531402b8bf869

        SHA1

        21c57e797f9bf60103751b697b5e7323b22bee2d

        SHA256

        8e66bc3f9bfd964c231514774c1e01e3a05e7506f7d41938f1e49f1780e4c064

        SHA512

        740a72bb956545da927847a563ddd7cdde39bed50bd678ce2312b2565a9f0eac259c5cb447d860c17bdd7357fcdd8a9634ab68ff07844488b161790004947043

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
        Filesize

        12KB

        MD5

        a8c4431de2a0d976a45531402b8bf869

        SHA1

        21c57e797f9bf60103751b697b5e7323b22bee2d

        SHA256

        8e66bc3f9bfd964c231514774c1e01e3a05e7506f7d41938f1e49f1780e4c064

        SHA512

        740a72bb956545da927847a563ddd7cdde39bed50bd678ce2312b2565a9f0eac259c5cb447d860c17bdd7357fcdd8a9634ab68ff07844488b161790004947043

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
        Filesize

        12KB

        MD5

        a8c4431de2a0d976a45531402b8bf869

        SHA1

        21c57e797f9bf60103751b697b5e7323b22bee2d

        SHA256

        8e66bc3f9bfd964c231514774c1e01e3a05e7506f7d41938f1e49f1780e4c064

        SHA512

        740a72bb956545da927847a563ddd7cdde39bed50bd678ce2312b2565a9f0eac259c5cb447d860c17bdd7357fcdd8a9634ab68ff07844488b161790004947043

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\srumdm.hcb
        Filesize

        185KB

        MD5

        e923ffb3d4001485b028c1db73a2ad7d

        SHA1

        3974f858666c8ca752a93296a299e15e1c8228c8

        SHA256

        60240106d022b45f07902409a59611dd93c388b982608130194a38d6ee4fcf31

        SHA512

        0ce9501f722d51471fe648b632f7546770570c919ca314f1253344c83c24365ac39fe9fa93a3fda617725131f3898f7cc0fe5250bcc7e586b7ea6a4f54f96c1f

        Download Submit
      • C:\Users\Admin\AppData\Roaming\name.exe
        Filesize

        398KB

        MD5

        c25c9877c55e1c43283910d400d91e2c

        SHA1

        e75a014931488473a0f220a81e83742f3afc66b7

        SHA256

        70f32a20f79a7bff35560af814867b770998faf1be40fd3dc04ddab93c45f6e0

        SHA512

        77f8ff58fede53e7109796b9bbc200cd78337d6d654b9801e12e1dcf4acf04d8e7127996d1e4d60265334dac348566518cf32a500c57cbe5c5c61ac6f91a1b04

        Download Submit
      • C:\Users\Admin\AppData\Roaming\name.exe
        Filesize

        398KB

        MD5

        c25c9877c55e1c43283910d400d91e2c

        SHA1

        e75a014931488473a0f220a81e83742f3afc66b7

        SHA256

        70f32a20f79a7bff35560af814867b770998faf1be40fd3dc04ddab93c45f6e0

        SHA512

        77f8ff58fede53e7109796b9bbc200cd78337d6d654b9801e12e1dcf4acf04d8e7127996d1e4d60265334dac348566518cf32a500c57cbe5c5c61ac6f91a1b04

        Download Submit
      • \Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
        Filesize

        12KB

        MD5

        a8c4431de2a0d976a45531402b8bf869

        SHA1

        21c57e797f9bf60103751b697b5e7323b22bee2d

        SHA256

        8e66bc3f9bfd964c231514774c1e01e3a05e7506f7d41938f1e49f1780e4c064

        SHA512

        740a72bb956545da927847a563ddd7cdde39bed50bd678ce2312b2565a9f0eac259c5cb447d860c17bdd7357fcdd8a9634ab68ff07844488b161790004947043

        Download Submit
      • \Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
        Filesize

        12KB

        MD5

        a8c4431de2a0d976a45531402b8bf869

        SHA1

        21c57e797f9bf60103751b697b5e7323b22bee2d

        SHA256

        8e66bc3f9bfd964c231514774c1e01e3a05e7506f7d41938f1e49f1780e4c064

        SHA512

        740a72bb956545da927847a563ddd7cdde39bed50bd678ce2312b2565a9f0eac259c5cb447d860c17bdd7357fcdd8a9634ab68ff07844488b161790004947043

        Download Submit
      • \Users\Admin\AppData\Roaming\name.exe
        Filesize

        398KB

        MD5

        c25c9877c55e1c43283910d400d91e2c

        SHA1

        e75a014931488473a0f220a81e83742f3afc66b7

        SHA256

        70f32a20f79a7bff35560af814867b770998faf1be40fd3dc04ddab93c45f6e0

        SHA512

        77f8ff58fede53e7109796b9bbc200cd78337d6d654b9801e12e1dcf4acf04d8e7127996d1e4d60265334dac348566518cf32a500c57cbe5c5c61ac6f91a1b04

        Download Submit
      • memory/680-66-0x0000000000000000-mapping.dmp
        Download
      • memory/776-80-0x00000000017A0000-0x00000000017BB000-memory.dmp
        Filesize

        108KB

        Download
      • memory/776-83-0x00000000009E0000-0x0000000000A73000-memory.dmp
        Filesize

        588KB

        Download
      • memory/776-86-0x0000000000080000-0x00000000000AF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/776-82-0x0000000000C10000-0x0000000000F13000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/776-81-0x0000000000080000-0x00000000000AF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/776-78-0x0000000000000000-mapping.dmp
        Download
      • memory/788-76-0x00000000001A0000-0x00000000001B4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/788-74-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/788-75-0x0000000000890000-0x0000000000B93000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/788-72-0x000000000041F110-mapping.dmp
        Download
      • memory/1248-85-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1248-84-0x0000000000000000-mapping.dmp
        Download
      • memory/1256-87-0x0000000007090000-0x0000000007199000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/1256-77-0x0000000006340000-0x00000000064A2000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/1256-88-0x0000000007090000-0x0000000007199000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/1788-61-0x0000000000000000-mapping.dmp
        Download
      • memory/1884-79-0x0000000000000000-mapping.dmp
        Download
      • memory/2040-54-0x0000000072661000-0x0000000072664000-memory.dmp
        Filesize

        12KB

        Download
      • memory/2040-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2040-57-0x00000000762D1000-0x00000000762D3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2040-55-0x00000000700E1000-0x00000000700E3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2040-58-0x00000000710CD000-0x00000000710D8000-memory.dmp
        Filesize

        44KB

        Download
      • memory/2040-89-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2040-90-0x00000000710CD000-0x00000000710D8000-memory.dmp
        Filesize

        44KB

        Download